| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <023201c47577$1cd1dc50$0400a8c0@AMDLAPTOP1> From: angray at beeb.net (Aaron Gray) Subject: Crash IE with 11 bytes ;) > Here's a detailed description of what's going wrong with [STYLE]@;/* > > The problem is the unterminated comment "/*"; IE computes the length of > the comment for a memcpy opperation by substracting the end pointer form > the start pointer. The comment starts behind "/*" and should end at "*/", > but since there is no terminator, the start of the string is used. IE > there for calculates the string to be -2 unicode characters long. The > subsequent memcpy will try to copy 0xFFFFFFFE bytes untill it gets a read > or write exception. (You will see the offending instruction is a REP > MOVSD) > > Unfortunately for us hackers, I believe you cannot control the length > value for the memcpy other then setting it to -2. So you will always cause > a read or write exception. You will only overwrite a small part of the > heap before the exception is caused so overwriting the SEH to controlling > execution is also ruled out. > > Conclusion: lame DoS > > I did find another way to use this to cause an exception at a different > location: > [SCRIPT] > <snip> > [/SCRIPT] > This will crash because of a null pointer in a CMP [ESI], 0. > It didn't look interesting to me, so no detailed investigation. > > Cheers, Cheers, nice analysis, nasty bug, I bet the guy who wrote the code is feeling very sheepish :o) TCS -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040729/36dc73d7/attachment.html
Powered by blists - more mailing lists